| CVE-2026-45578 | high | 8.8 | 8.8 | | | | 20d ago | WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a classic shell-metacharacter injection. The YPTSocket notification branch in plugin/Live/on_publish.php builds an execAsyn… |
| CVE-2026-43885 | high | — | 8.0 | | | | 29d ago | AVideo Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor and Missing Authorization |
| CVE-2026-40926 | high | — | 8.0 | | | | 2mo ago | WWBN AVideo has Multiple CSRF Vulnerabilities in Admin JSON Endpoints (Category CRUD, Plugin Update Script) |
| CVE-2026-33492 | high | — | 8.0 | | | | 3mo ago | AVideo has Session Fixation via GET PHPSESSID Parameter With Disabled Login Session Regeneration |
| CVE-2026-33485 | high | — | 8.0 | | | | 3mo ago | AVideo has an Unauthenticated Blind SQL Injection in RTMP on_publish Callback via Stream Name Parameter |
| CVE-2026-43884 | high | 7.7 | 7.7 | | | | 29d ago | AVideo has SSRF Protection Bypass via HTTP Redirect and DNS Rebinding in isSSRFSafeURL() |
| CVE-2026-43873 | high | 7.5 | 7.5 | | | | 1mo ago | AVideo: Unauthenticated Disclosure of CloneSite `myKey` via Error Echo in `cloneClient.json.php` Enables Cross-Site DB Dump of the Configured Clone Server |
| CVE-2026-43874 | high | 7.2 | 7.2 | | | | 1mo ago | AVideo has an Incomplete Fix for YPTSocket autoEvalCodeOnHTML Strip: Unauthenticated Cross-User JavaScript Execution via `$msg['json']` Relay Bypass |
| CVE-2026-43875 | medium | 6.8 | 6.8 | | | | 1mo ago | AVideo: Password Hash Leak in MobileManager OAuth Redirect URL Enables Account Takeover |
| CVE-2026-45619 | medium | 6.5 | 6.5 | | | | 20d ago | WWBN AVideo is an open source video platform. In 29.0 and earlier, EpgParser.php, plugin/AI/receiveAsync.json.php, and other locations do not use the $resolvedIP out-param of isSSRFSafeURL() for DNS … |
| CVE-2026-45610 | medium | 6.5 | 6.5 | | | | 20d ago | WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a cross-site request forgery vulnerability on the 2FA toggle. plugin/LoginControl/set.json.php accepts POST type=set2FA val… |
| CVE-2026-43876 | medium | 6.4 | 6.4 | | | | 1mo ago | AVideo: HTML Injection in notifySubscribers.json.php Allows Platform-Branded Phishing Emails to Channel Subscribers |
| CVE-2026-43878 | medium | 6.1 | 6.1 | | | | 1mo ago | Video: Reflected XSS in plugin/Meet/iframe.php via Unescaped user and pass Parameters in JavaScript String Literal |
| CVE-2026-41062 | medium | — | 5.5 | | | | 2mo ago | WWBN AVideo has an Incomplete fix: Directory traversal bypass via query string in ReceiveImage downloadURL parameters |
| CVE-2026-34368 | medium | — | 5.5 | | | | 2mo ago | AVideo Vulnerable to Wallet Balance Double-Spend via TOCTOU Race Condition in transferBalance |
| CVE-2026-45580 | medium | 5.4 | 5.4 | | | | 20d ago | WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a stored cross-site scripting vulnerability. The Live plugin's "YouTube-style" view renders the live transmission's stream … |
| CVE-2026-43879 | medium | 5.4 | 5.4 | | | | 29d ago | AVideo has Blind SSRF in YPTWallet Donation Webhook via Missing isSSRFSafeURL() Check and CURLOPT_FOLLOWLOCATION Redirect Bypass |
| CVE-2026-43877 | medium | 5.4 | 5.4 | | | | 1mo ago | AVideo: CSRF in userSavePhoto.php Allows Cross-Origin Overwrite of Authenticated Users' Profile Photos with Arbitrary Content |
| CVE-2026-46337 | medium | 5.3 | 5.3 | | | | 16d ago | AVideo: Unauthenticated Arbitrary Image Read via Path Traversal in `view/img/image404Raw.php` |
| CVE-2026-45620 | medium | 5.3 | 5.3 | | | | 17d ago | WWBN AVideo is an open source video platform. In 29.0 and earlier, objects/mention.json.php has no User::loginCheck() or admin gate. It only has an entry guard: preg_match('/^@/', $_REQUEST['term']) … |
| CVE-2026-43881 | medium | 5.3 | 5.3 | | | | 29d ago | AVideo: Unauthenticated User Enumeration in objects/users.json.php via isCompany Parameter Allows Bypass of the Admin-Only Listing Restriction |
| CVE-2026-43880 | medium | 5.3 | 5.3 | | | | 29d ago | AVideo: Unauthenticated Arbitrary Email Sending via sendEmail.json.php Enables Phishing from the Site’s Legitimate From Address |
| CVE-2026-45731 | medium | 4.9 | 4.9 | | | | 17d ago | WWBN AVideo is an open source video platform. In 29.0 and earlier, view/update.php reads $_POST['updateFile'] as a relative path under updatedb/ and passes it to PHP's file() for line-by-line executi… |
| CVE-2026-43882 | medium | 4.3 | 4.3 | | | | 29d ago | AVideo: Unauthenticated CRLF/ICS Injection in Scheduler downloadICS.php Allows Calendar Event Spoofing |
| CVE-2026-43883 | medium | 4.2 | 4.2 | | | | 29d ago | AVideo: IDOR in PayPalYPT Plugin Allows Any Authenticated User to Cancel Arbitrary PayPal Subscription Agreements |